CSC 7101: Programming Language Structures 1 1 Axiomatic Semantics Stansifer Ch 2.4, Ch. 9 Winskel Ch.6 Slonneger and Kurtz Ch. 11 Overview We’ll develop proof rules, such as: { I b } S { I } { I } while b do S end { I b } That allow us to verify the correctness of a program relative to a formal spec: { m 0 n 0 } z := m; r := n; while r 0 do h := z rem r; z := r; r := h end { z = gcd(m, n) } 2 3 Axiomatic Semantics Concerned w/ properties of program state Properties are described (specified) through first-order logic Axiomatic semantics is a set of rules for constructing proofs of such properties Purely mathematical formalism: an example of a proof system Should be able to prove all true statements about the program, and not be able to prove any false statements
27
Embed
CSC 7101: Programming Language Structures 1bit.csc.lsu.edu/~gb/csc7101/Slides/Axiomatic.pdf · 2017-01-11 · CSC 7101: Programming Language Structures 1 1 Axiomatic Semantics Stansifer
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
CSC 7101: Programming Language Structures 1
1
Axiomatic Semantics
Stansifer Ch 2.4, Ch. 9
Winskel Ch.6
Slonneger and Kurtz Ch. 11
Overview
We’ll develop proof rules, such as:{ I b } S { I }{ I } while b do S end { I b }
That allow us to verify the correctness of a program relative to a formal spec:
{ m 0 n 0 }z := m; r := n;while r 0 do
h := z rem r; z := r; r := hend{ z = gcd(m, n) }
2
3
Axiomatic Semantics
Concerned w/ properties of program state Properties are described (specified) through
first-order logic
Axiomatic semantics is a set of rules for constructing proofs of such properties Purely mathematical formalism: an example of
a proof system
Should be able to prove all true statements about the program, and not be able to prove any false statements
CSC 7101: Programming Language Structures 2
4
State
State: a function σ from variables to values
E.g., program with 3 variables x, y, zσ(x) = 9σ(y) = 5σ(z) = 2
For simplicity, we will only consider integer variables σ: Variables {0,-1,+1,-2,2,…}
An assertion represents the set of states that satisfy the assertion
6
Use of First-Order Predicate Logic
Variables from the program In the program they are part of the syntax,
here they are part of the assertion programming language vs. meta-language of
assertions
Extra “helper” variables The usual suspects from first-order logic true false
Operations from the programming language: e.g. +, -, …
CSC 7101: Programming Language Structures 3
7
First-Order Predicate Logic
Terms If x is a variable, x is a term If n is an integer constant, n is a term If t1 and t2 are terms, so are t1+t2, t1-t2,…
Formulas true and false t1<t2 and t1=t2 for terms t1 and t2
f1f2, f1f2, f1, f1f2 for formulas f1,f2
x.f and x.f for a formula f
8
Free vs. Bound Variable Occurrences
An occurrence of a variable x is bound if it is in the scope of x or x An occurrence is free if it is not bound
i.k=i*j: k and j are free, i is bound
(x+1 < y+2) (x. x+3=y+4)
Substitution: f[e/x] is the formula f with all free occurrences of x replaced by e May have to rename variables (more later)
9
States and Assertion
Value of a term in some state σ σ(x) for variable x, n for constant n, the
usual arithmetic for terms t1+t2, t1-t2,…
σ satisfies the assertion t1=t2 if and only if t1 and t2 have the same value in σ Similarly for assertion t1<t2
σ satisfies f1f2 if and only if it satisfies f1 and f2 Similarly for f1f2, f1, f1f2 (i.e. f1f2)
CSC 7101: Programming Language Structures 4
10
States and Assertions
σ satisfies x.f if and only if for every integer n, σ satisfies f[n/x] Which states satisfy x.(x+y=y+x)?
Which ones satisfy f[5/x] (i.e., 5+y=y+5)?
σ satisfies x.f if and only if for some integer n, σ satisfies f[n/x] Which states satisfy i.k=i*j?
11
States and Assertions
{ p } denotes the set P of states that satisfy assertion p
{ p q } P Q; { p q } P Q
{ p } U – P (U is the universal set)
{ p q }: same as { p q } What is { x=2y=3 x=2 }?
Suppose that p q is true; then P Q x=2y=3 x=2, so { x=2y=3 } { x=2 }
12
Examples of Assertions
Three program variables: x, y, z { x = 1 1 ≤ y ≤ 5 1 ≤ z ≤ 10 }: set of size 50 { x = 1 y = 2 }: infinite set { x = 1 1 ≤ y ≤ 5 }: infinite set { x = y + z }: all states s.t. σ(x) = σ(y) + σ(z) { x = x }: the set of all states { true }: the set of all states { x x }: the empty set { false }: the empty set
CSC 7101: Programming Language Structures 5
13
Simplified Programming Language
IMP: simple imperative language
From the code generation example with attribute grammars With I/O added
S is a piece of code (program fragment) p and q are assertions p: pre-condition, q: post-condition
If we start executing S from any state σ that satisfies p, and if S terminates, then the resulting state σ’ satisfies q
Will refer to the triples as results Think “results of proofs”
CSC 7101: Programming Language Structures 6
16
Intuition
In {p} S {q}, the relationship between p and q captures the essence of the semantics of S
Abstract description of constraints that any implementation of the language must satisfy Says nothing about how these relationships
will be achieved
If {p} S {q} and {p} T {q}, S and T are semantically equivalent (w.r.t. p)
17
Valid Results
A result {p} S {q} is valid if and only if for every state σ if σ satisfies p and the execution of S starting in σ
terminates in state σ’ then σ’ satisfies q
Is {false} S {q} valid?
18
Examples
{ x=1 } skip { x=1 }
{ x=1 y=1 } skip { x=1 }
{ x=1 } skip { x=1 y=1 }
{ x=1 } skip { x=1 y=1 }
{ x=1 y=1 } skip { x=1 }
{ x=1 } skip { true }
{ x=1 } skip { false }
{ false } skip { x=1 }
Valid
Valid
Invalid
Valid
Invalid
Valid
Invalid
Valid
CSC 7101: Programming Language Structures 7
19
More Examples
{ x=1 y=2 } x := x+1 { x=2 y=2 }
{ x=1 y=2 } x := x+1 { x 2 }
{ x=1 y=2 } x := x+1 { x=y }
{ x=0 } while x<10 do x:=x+1 { x=10 }
{ x<0 } while x<10 do x:=x+1 { x=10 }
{ x0 } while x<10 do x:=x+1 { x=10 }
{ x0 } while x<10 do x:=x+1 { x10 }
Valid
Valid
Valid
Valid
Valid
Invalid
Valid
20
Termination
A result says: … if S terminates …
What if S does not terminate? We are only concerned with initial states for
which S terminates
{ x=3 } while x10 do x:=x+1 { x=10 }
{ x0 } while x10 do x:=x+1 { x=10 }
{ true } while x10 do x:=x+1 { x=10 }
All of these results are valid
21
Observations
What exactly does “valid result” mean? We had an operational model of how the
code would operate, and we “executed” the code in our heads using this model The result is valid w.r.t. the model The operational model can be formalized In our discussion: an implied “obvious” model
Goal: derive valid results without using operational reasoning Purely formally, using a proof system
CSC 7101: Programming Language Structures 8
22
Terminology
Assertion: may be satisfied or not satisfied by a particular state
Result: may be valid or invalid in a particular operational model
Result: may be derivable or not derivablein a given proof system
Some meaningless statements “{p} S {q} is true”, “{p} S {q} is valid for some
states”, “assertion p is not valid”
23
Soundness and Completeness
Properties of a proof system (axiomatic semantics) A w.r.t. an operational model M
Soundness (consistency): every result we can prove (derive) in A is valid in M
Completeness: every result that is valid in M can be derived (proven) in A
24
Post System
Post system: purely formal, unrelated to programming languages Based on the work of the logician Emil Post Alphabet of symbols Set of variables Term: string of symbols and variables Word: string of symbols
A Post system can be used to express derivations (proofs) of terms
CSC 7101: Programming Language Structures 9
25
Productions
Also called “inference rules”t1 t2 … tn
t
Axiom: rule with no premises A production is a concise representation
of a set of production instances Production instance: each variable is
replaced with a string of symbols (a word)
ti and t: termsti: premisest: conclusion – if all premises are true, so is the conclusion
26
Proofs
Proof = set of production instances Starting from one or more instances of
axioms
Conclusions are subsequently used as premises
The conclusion of the last production is proved (derived) by the proof If a proof exists, the term is provable
27
Example: Unary Numbers
Alphabet{N,|}
Rules x is a variable
NxN Nx|
Proof
NN|N||
CSC 7101: Programming Language Structures 10
28
Unary Number Addition
Alphabet {N,|,+,=}
RulesNx
N Nx|
Ny x+y=z+y=y x|+y=z|
Proof
NN|N||+||=|||+||=|||||+||=||||
29
Better Rules
Alphabet {N,|,+,=}
RulesNx
N Nx|
Nx Nyx+y=xy
Proof
N NN| N|N|| N||||+||=||||
30
Proof System for IMP
Goal: define a proof system for IMP i.e., an axiomatic semantics
Skip axiom: p is an arbitrary assertion
{ p } skip { p }
Examples{ x=1 } skip { x=1 }
{ x=1 } skip { x=1 y=2 }
{ x=1 y=2 } skip { x=1 }
Provable
Not provable (good)
Not provable (bad)
term in the Post system
CSC 7101: Programming Language Structures 11
31
Inference Rule of Consequence
p’ p { p } S { q } q q’
{ p’ } S { q’ }
x y means X Y
x=1 y=2 x=1 { x=1 } skip { x=1 }
{ x=1 y=2 } skip { x=1 }
production;p, p’, q, q’, Sare variables
production instance: each variable is replaced with a word
axiom instance
32
Simplified Versions
{ p } S { q } q q’
{ p } S { q’ }
p’ p { p } S { q }
{ p’ } S { q }
33
Exercise
Show that the following rule will make the proof system inconsistent (unsound) i.e. it will be possible to prove something
that is not operationally valid{ p } S { q } q’ q
{ p } S { q’ }
CSC 7101: Programming Language Structures 12
34
Substitution
Notation: p[e/x] Other notations: pe , p[x:=e]
p[e/x] is the assertion p with all freeoccurrences of x replaced by e To avoid conflicts, may have to rename some
Proof rules (Post system) used to define axiomatic semantics
Must be sound (consistent) and complete relative to the operational model
80
Program Verification
Given an already defined axiomatic semantics, we can try to prove partial or total correctness S is a program fragment p is something we can guarantee q is something we want S to achieve Try to prove {p} S {q} and/or p | S | q
If we find a proof, S is correct
A counter-example uncovers a bug
81
Program Verification
Specification using pre/post-conditions
Need to find loop invariants Express behavior of loop
Backward substitution across multiple assignments
Need to find termination function for proving total correctness